Nmap Development mailing list archives

nmap-3.7x MUCH slower than nmap-3.55 against firewalled hosts


From: Martin Mačok <martin.macok () underground cz>
Date: Wed, 15 Dec 2004 14:00:28 +0100

The difference is really huge - it is HOURS with 3.55 versus DAYS with
3.7[58] against a firewalled C block.

A quick look at the generated traffic suggests that the problem is when
the target rate-limits outgoing ICMP unreachables (admin prohibited),
which is well handled by nmap-3.55's algorithm but sloppily handled by
nmap-3.7[58] (which is heavily retransmitting in that case). I've come
across 2 different networks this week which exhibit this behaviour,
and my well-experienced colleague tells me that this behaviour is very
common.

A possible workaround would be some cmdline options for better limiting
the retransmission (setting --max_scan_delay is *by far* not enough to
achieve nmap-3.55's speed; I would at least like to see an option for
limiting max_successful_tryno) with sensible defaults, but I would
definitely prefer the nmap-3.55 behaviour, which is much more clever in
that case (from looking at the packet trace).

Example (53 seconds versus 1214 seconds):

% nmap -vvv -F -sS TARGET

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-12-15 13:15 CET
Host TARGET (TARGET) appears to be up ... good.
Initiating SYN Stealth Scan against TARGET (TARGET) at 13:15
Adding open port 53/tcp
Adding open port 22/tcp
Adding open port 25/tcp
Adding open port 3128/tcp
The SYN Stealth Scan took 53 seconds to scan 1220 ports.
Interesting ports on TARGET (TARGET):
(The 1214 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   closed http
443/tcp  closed https
3128/tcp open   squid-http

Nmap run completed -- 1 IP address (1 host up) scanned in 53.328 seconds


% nmap -vvv -F -sS TARGET

Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2004-12-15 13:20 CET
Initiating SYN Stealth Scan against TARGET (TARGET) [1223 ports] at 13:20
Discovered open port 25/tcp on TARGET
Discovered open port 22/tcp on TARGET
Discovered open port 53/tcp on TARGET
Increasing send delay for TARGET from 0 to 5 due to max_successful_tryno increase to 4
Increasing send delay for TARGET from 5 to 10 due to max_successful_tryno increase to 5
Increasing send delay for TARGET from 10 to 20 due to max_successful_tryno increase to 6
Increasing send delay for TARGET from 20 to 40 due to max_successful_tryno increase to 7
Increasing send delay for TARGET from 40 to 80 due to max_successful_tryno increase to 8
Increasing send delay for TARGET from 80 to 160 due to max_successful_tryno increase to 9
Increasing send delay for TARGET from 160 to 320 due to 11 out of 18 dropped probes since last increase.
SYN Stealth Scan Timing: About 4.88% done; ETC: 13:30 (0:09:46 remaining)
Increasing send delay for TARGET from 320 to 640 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for TARGET from 640 to 1000 due to 11 out of 20 dropped probes since last increase.
SYN Stealth Scan Timing: About 52.89% done; ETC: 13:39 (0:09:11 remaining)
Discovered open port 3128/tcp on TARGET
The SYN Stealth Scan took 1214.00s to scan 1223 total ports.
Host TARGET (TARGET) appears to be up ... good.
Interesting ports on TARGET (TARGET):
(The 1217 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   closed http
443/tcp  closed https
3128/tcp open   squid-http

Nmap run completed -- 1 IP address (1 host up) scanned in 1214.118 seconds


I can make a packet capture and upload it somewhere if needed or
provide any other info/test you want.

Martin Mačok
IT Security Consultant
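As an added example (not part of Martin's post, nor code from nmap itself), a small Python parser for the "Increasing send delay" lines that nmap 3.7x prints at -vvv: it reconstructs the per-host delay schedule, separates escalations caused by max_successful_tryno growth from those caused by the dropped-probe ratio, and flags the step where the delay stops doubling (the ceiling reached at 1000 ms in the 3.78 run). The sample input is constructed from the log lines quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the escalation lines from the nmap 3.78 run quoted in the post.
SAMPLE_LOG = """\
Increasing send delay for TARGET from 0 to 5 due to max_successful_tryno increase to 4
Increasing send delay for TARGET from 5 to 10 due to max_successful_tryno increase to 5
Increasing send delay for TARGET from 10 to 20 due to max_successful_tryno increase to 6
Increasing send delay for TARGET from 20 to 40 due to max_successful_tryno increase to 7
Increasing send delay for TARGET from 40 to 80 due to max_successful_tryno increase to 8
Increasing send delay for TARGET from 80 to 160 due to max_successful_tryno increase to 9
Increasing send delay for TARGET from 160 to 320 due to 11 out of 18 dropped probes since last increase.
Increasing send delay for TARGET from 320 to 640 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for TARGET from 640 to 1000 due to 11 out of 20 dropped probes since last increase.
"""

# One pattern covers both escalation causes that nmap 3.7x reports at -vvv.
DELAY_RE = re.compile(
    r"Increasing send delay for (?P<host>\S+) from (?P<old>\d+) to (?P<new>\d+) due to "
    r"(?:max_successful_tryno increase to (?P<tryno>\d+)"
    r"|(?P<dropped>\d+) out of (?P<sent>\d+) dropped probes since last increase)")

@dataclass
class DelayStep:
    host: str
    old_ms: int
    new_ms: int
    cause: str          # "tryno": retransmission count grew; "drops": loss ratio too high
    drop_ratio: float   # dropped/sent for "drops" steps, 0.0 for "tryno" steps

def parse_delay_steps(log_text):
    """Extract every send-delay escalation from verbose nmap output, in order."""
    steps = []
    for m in DELAY_RE.finditer(log_text):
        sent = m.group("sent")
        ratio = int(m["dropped"]) / int(sent) if sent else 0.0
        steps.append(DelayStep(m["host"], int(m["old"]), int(m["new"]),
                               "drops" if sent else "tryno", ratio))
    return steps

def summarize(steps):
    """Per host: final delay, escalations by cause, worst loss ratio, capped flag."""
    out = {}
    for s in steps:
        h = out.setdefault(s.host, {"final_ms": 0, "tryno": 0, "drops": 0,
                                    "worst_ratio": 0.0, "capped": False})
        h["final_ms"] = s.new_ms
        h[s.cause] += 1
        h["worst_ratio"] = max(h["worst_ratio"], s.drop_ratio)
        # A step that grows by less than 2x means the delay hit the scan-delay ceiling.
        h["capped"] = s.old_ms > 0 and s.new_ms < 2 * s.old_ms
    return out
```

Feed it the saved stdout of a slow scan to see at a glance how many escalations came from retransmission counts versus loss ratio before the delay pinned at its ceiling.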
